Data Security and Encryption (CSE348) 1. Lecture # 28 2.

Data Security and Encryption

(CSE348)

1

Lecture # 28

2

Review

• have considered:– various malicious programs– trapdoor, logic bomb, trojan horse, zombie– viruses– worms– distributed denial of service attacks

3

Chapter 20 – Firewalls

4

Introduction• Information systems in corporations, government

agencies, and other organizations have undergone a steady evolution from mainframes to LANs

• Internet connectivity is no longer optional, with information and services essential to the organization

• Moreover, individual users want and need Internet access

5

Introduction• However, while Internet access provides benefits, it

enables the outside world to reach

• And interact with local network assets, creating a threat to the organization

• While it is possible to equip each workstation and server on the premises network with strong security features

• This is not a practical approach in general

6

Introduction• Firewalls can be an effective means of protecting a

local system or network of systems from network-based security threats

• While at the same time affording access to the outside world via wide area networks and the Internet

• However they need to be part of a wider security strategy including host security

7

Introduction

• Seen evolution of information systems• Now everyone want to be on the Internet • And to interconnect networks • Has persistent security concerns– can’t easily secure every system in org

• Typically use a Firewall• To provide perimeter defence• As part of comprehensive security strategy

8

What is a Firewall?

• A firewall is inserted between the premises network and the Internet

• To establish a controlled link and to erect an outer security wall or perimeter

• Forming a single choke point where security and audit can be imposed

9

What is a Firewall?

A firewall:1.defines a single choke point that keeps unauthorized users out of the protected network

•Prohibits potentially vulnerable services from entering or leaving the network

•and provides protection from various kinds of IP spoofing and routing attacks

10

What is a Firewall?

2. Provides a location for monitoring security-related events

3. A convenient platform for several Internet functions that are not security related

• such as NAT and Internet usage audits or logs

11

What is a Firewall?

4. A firewall can serve as the platform for IPSec to implement virtual private networks

• The firewall itself must be immune to penetration

• since it will be a target of attack

12

What is a Firewall?• A choke point of control and monitoring • Interconnects networks with differing trust• Imposes restrictions on network services– only authorized traffic is allowed

• Auditing and controlling access– can implement alarms for abnormal behavior

• Provide NAT & usage monitoring• Implement VPNs using IPSec• Must be immune to penetration

13

What is a Firewall?

14

What is a Firewall?

15

• Stallings Figure 22.1a illustrates the general model of firewall use on the security perimeter

• As a choke point for traffic between the external less-trusted Internet and the internal more trusted private network

Firewall Limitations• Cannot protect from attacks bypassing it– eg sneaker net, utility modems, trusted

organisations, trusted services (eg SSL/SSH)• Cannot protect against internal threats– eg dissatisfied or colluding employees

• Cannot protect against access via WLAN– if improperly secured against external use

• Cannot protect against malware imported via laptop, PDA, storage infected outside

16

Firewalls – Packet Filters• Simplest, fastest firewall component • Foundation of any firewall system • Examine each IP packet (no context) and permit or

deny according to rules • Hence restrict access to services (ports)• Possible default policies– that not expressly permitted is prohibited – that not expressly prohibited is permitted

17

Firewalls – Packet Filters

18

Firewalls – Packet Filters

19

• Stallings Figure above illustrates the packet filter firewall role as utilizing information from the transport

• Network & data link layers to make decisions on allowable traffic flows

• And its placement in the border router between the external less-trusted Internet and the internal more trusted private network

Firewalls – Packet Filters

20

Firewalls – Packet Filters

21

Stallings Table gives some examples of packet-filtering rule sets

In each set, the rules are applied top to bottom

A. Inbound mail is allowed to a gateway host only port 25 is for SMTP incoming

B. Explicit statement of the default policy

Firewalls – Packet Filters

22

C. Tries to specify that any inside host can send mail to the outside, but has problem that an outside machine could be configured to have some other application linked to port 25

D. Properly implements mail sending rule, by checking ACK flag of a TCP segment is set

E. This rule set is one approach to handling FTP connections

Attacks on Packet Filters

• IP address spoofing– fake source address to be trusted– add filters on router to block

• Source routing attacks– attacker sets a route other than default– block source routed packets

• Tiny fragment attacks– split header info over several tiny packets– either discard or reassemble before check

23

Firewalls – Stateful Packet Filters

• Traditional packet filters do not examine higher layer context– i.e. matching return packets with outgoing flow

• Stateful packet filters address this need• They examine each IP packet in context– keep track of client-server sessions– check each packet validly belongs to one

• Hence are better able to detect bogus packets out of context

• May even inspect limited application data

24

Firewalls - Application Level Gateway (or Proxy)

• Have application specific gateway / proxy • Has full access to protocol – user requests service from proxy – proxy validates request as legal – then actions request and returns result to user– can log / audit traffic at application level

• Need separate proxies for each service – some services naturally support proxying – others are more problematic

25

Firewalls - Application Level Gateway (or Proxy)

26

Firewalls - Circuit Level Gateway

• Relays two TCP connections• Imposes security by limiting which such connections

are allowed• Once created usually relays traffic without examining

contents• Typically used when trust internal users by allowing

general outbound connections• SOCKS is commonly used

27

Firewalls - Circuit Level Gateway

28

Firewalls - Circuit Level Gateway

29

• Stallings Figure above illustrates a circuit-level gateway

• Showing how it relays between 2 TCP connections

• It can be implemented in a stand-alone system

• or can be a specialized function in an application-level gateway for certain applications

Firewalls - Circuit Level Gateway

30

• Relaying UDP packets is more problematical

• Because of the lack of connection context

• And require a parallel TCP connection to provide these details

Bastion Host• Highly secure host system

• Runs circuit / application level gateways

• or provides externally accessible services

• Potentially exposed to "hostile" elements

31

Bastion Host• Hence is secured to withstand this– hardened O/S, essential services, extra auth– proxies small, secure, independent, non-privileged

• May support 2 or more net connections

• May be trusted to enforce policy of trusted separation between these net connections

32

Host-Based Firewalls

• s/w module used to secure individual host– available in many operating systems – or can be provided as an add-on package

• often used on servers• advantages:– can tailor filtering rules to host environment– protection is provided independent of topology– provides an additional layer of protection

33

Personal Firewalls• Controls traffic between PC/workstation and Internet

or enterprise network• A software module on personal computer• Or in home/office DSL/cable/ISP router• Typically much less complex than other firewall types• Primary role to deny unauthorized remote access to

the computer• And monitor outgoing activity for malware

34

Personal Firewalls

35

Personal Firewalls

36

• An example of a personal firewall is the capability built in to the Mac OS X operating system

• When the user enables the personal firewall in Mac OS X, all inbound connections are denied except for those the user explicitly permits

• Stallings Figure above shows this simple interface

Personal Firewalls

37

• There is a list of inbound services that can be selectively re-enabled, with their port numbers

• For increased protection, advanced firewall features are available through easy-to- configure checkboxes

• Stealth mode hides the Mac on the Internet by dropping unsolicited communication packets, making it appear as though no Mac is present

Personal Firewalls

38

• UDP packets can be blocked, restricting network traffic to TCP packets only for open ports

• The firewall also supports logging, an important tool for checking on unwanted activity

• Similar features are provided by the firewalls provided in Windows and Linux systems

Firewall Configurations

39

Firewall Configurations

40

• As Figure above indicates, a firewall is positioned to provide a protective barrier between an external

• potentially untrusted source of traffic and an internal network

• With that general principle in mind, a security administrator must decide on the location and on the number of firewalls needed

Firewall Configurations

41

• In addition to the use of a simple configuration consisting of a single system

• More complex configurations are possible and indeed more common

• Stallings Figure 20.2 illustrates three common firewall configurations

• Figure 20.2a shows the “screened host firewall, single-homed bastion configuration”

Firewall Configurations

42

• Where the firewall consists of two systems: • A packet-filtering router - allows Internet

packets to/from bastion only • a bastion host - performs authentication and

proxy functions

• This configuration has greater security, as it implements both packet-level & application-level filtering

Firewall Configurations

43

• Forces an intruder to generally penetrate two separate systems to compromise internal security

• Also affords flexibility in providing direct Internet access to specific internal servers (e.g. web) if desired

Firewall Configurations

44

Firewall Configurations

45

• Stallings Figure above illustrates the “screened host firewall, dual-homed bastion configuration”

• which physically separates the external and internal networks

• Ensuring two systems must be compromised to breach security

• The advantages of dual layers of security are also present here

Firewall Configurations

46

• Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy

• But are now separated from the internal network

Firewall Configurations

47

Firewall Configurations

48

• Stallings Figure above shows the “screened subnet firewall configuration”, being the most secure

• It has two packet-filtering routers, one between the bastion host and the Internet

• And the other between the bastion host and the internal network, creating an isolated subnetwork

Firewall Configurations

49

• This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability

• Typically, both the Internet and the internal network have access to hosts on the screened subnet

• But traffic across the screened subnet is blocked

Firewall Configurations

50

This configuration offers several advantages:

•There are now three levels of defense to thwart intruders

•The outside router advertises only the existence of the screened subnet to the Internet

•Therefore the internal network is invisible to the Internet

Firewall Configurations

51

• Similarly, the inside router advertises only the existence of the screened subnet to the internal network

• Hence systems on the inside network cannot construct direct routes to the Internet

Virtual Private Networks

52

Virtual Private Networks

53

• In today's distributed computing environment, the virtual private network (VPN) offers an attractive solution to network managers

• The VPN consists of a set of computers that interconnect by means of a relatively unsecure network

• And that make use of encryption and special protocols to provide security

Virtual Private Networks

54

• At each corporate site, workstations, servers, and databases are linked by one or more local area networks (LANs)

• The Internet or some other public network can be used to interconnect sites

• Providing a cost savings over the use of a private network

Virtual Private Networks

55

• And offloading the wide area network management task to the public network provider

• That same public network provides an access path for telecommuters

• And other mobile employees to log on to corporate systems from remote sites

Virtual Private Networks

56

• A logical means of implementing an IPSec is in a firewall

• If IPSec is implemented in a separate box behind (internal to) the firewall

• Then VPN traffic passing through the firewall in both directions is encrypted

Virtual Private Networks

57

• In this case, the firewall is unable to perform its filtering function or other security functions, such as access control, logging, or scanning for viruses

• IPSec could be implemented in the boundary router, outside the firewall

• However, this device is likely to be less secure than the firewall and thus less desirable as an IPSec platform

Distributed Firewalls

58

Distributed Firewalls

59

• A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control

• Stallings Figure above suggests a distributed firewall configuration

• Administrators can configure host-resident firewalls • on hundreds of servers, workstation as well as configure

personal firewalls on local and remote user systems

Distributed Firewalls

60

• Tools let the network administrator set policies and monitor security across the entire network

• These firewalls protect against internal attacks and provide protection tailored to specific machines and applications

• Stand-alone firewalls provide global protection, including internal firewalls and an external firewall, as discussed previously

Distributed Firewalls

61

• With distributed firewalls, it may make sense to establish both an internal and an external DMZ (demilitarized zone)

• Web servers that need less protection because they have less critical information on them could be placed in an external DMZ, outside the external firewall

Distributed Firewalls

62

• What protection is needed is provided by host-based firewalls on these servers

• An important aspect of a distributed firewall configuration is security monitoring

• Such monitoring typically includes • log aggregation and analysis, firewall statistics, and

fine-grained remote monitoring of individual hosts if needed

Summary of Firewall Locations and Topologies

• The following alternatives can be identified:

• Host-resident firewall: incl. personal firewall software and firewall software on servers, used alone or as part of an in-depth firewall deployment

• Screening router: A single router between internal and external networks with stateless or full packet filtering. Typical for small office/home office (SOHO) use

63

Summary of Firewall Locations and Topologies

• Single bastion inline: A single firewall device between an internal and external router

• The firewall may implement stateful filters and/or application proxies

• This is the typical firewall appliance configuration for small to medium-sized organizations

64

Summary of Firewall Locations and Topologies

• Single bastion T: Similar to single bastion inline but has a third network interface on bastion to a DMZ

• Where externally visible servers are placed

• Again, this is a common appliance configuration for medium to large organizations

65

Summary of Firewall Locations and Topologies

• Double bastion inline: In this configuration the DMZ is sandwiched between bastion firewalls

• This configuration is common for large businesses and government organizations

66

Summary of Firewall Locations and Topologies

• Double bastion T: The DMZ is on a separate network interface on the bastion firewall

• This configuration is also common for large businesses and government organizations and may be required

• For example, this configuration is required for Australian government use

67

Summary of Firewall Locations and Topologies

• Distributed firewall configuration: This configuration is used by some large businesses and government organizations

68

Summary of Firewall Locations and Topologies

• host-resident firewall• screening router• single bastion inline• single bastion T• double bastion inline• double bastion T• distributed firewall configuration

69

Summary

• have considered:– firewalls– types of firewalls• packet-filter, stateful inspection, application proxy,

circuit-level– basing• bastion, host, personal

– location and configurations• DMZ, VPN, distributed, topologies

70